In the art of filtering email for Spam messages, one standard tool that is commonly used is a compiled data list defining user-approved contact email addresses, which is a list commonly known in the art as a whitelist. A whitelist is a list of user contacts typically taken from a user's email address book and used to validate incoming email by comparing the sender address of the email to the addresses in the list. For example, if an email arrives for the user and the sender address is found in the user's whitelist of trusted contacts, then that particular email is typically allowed through to the user's inbox. If the sender's address is not in the list then the user may be alerted of possible Spam.
It is common in the art to use whitelists that are manually constructed or built from a user's address book. Whitelists, however, may be difficult to build and maintain. If a user is not diligent in maintaining a comprehensive address book, for example, the associated filtering system may not have a comprehensive list and as a result may not make good decisions.
One drawback to current whitelisting techniques is that they may be relatively inflexible in terms of contact identification. For example, in collaboration, a trusted contact might send an email that also identifies other trusted contacts through such as carbon copy (CC) and blind carbon copy (BCC) identification. However, if the user does not physically add those trusted contacts to his or her address book, then an email sent to the user from one of the trusted contacts may not get through to the user because it is not on the whitelist. Whitelists may also be inflexible in that modification (adding or deleting contacts) often is largely a manual process involving much work for a user. While some effort at automation in building whitelists has occurred in the art, that effort has typically fallen short of a goal of flexibility, as it typically involves use of keys or tags that may inadvertently be attributed to undesirable sender addresses. Additionally if a contact formerly trusted becomes a distrusted contact, the contact is typically manually removed or blocked.
Further to the above, careful observers, using tools developed for the purpose, have developed considerable knowledge of techniques used by spammers. Spam campaigns, and characteristics of their operation are tracked and recorded, and used in efforts to block spam. At the same time, spammers study the new tools and techniques used to block their efforts, and try to develop new and better techniques for overcoming the obstacles placed in their paths. Among the characteristics of spam campaigns are certain traffic characteristics that indicate a possibility that email campaigns may be spam.
Therefore, what is clearly needed in the art is a method and apparatus providing probability that certain emails or email campaigns may be spam, and used for such developed probabilities, such as from network traffic characteristics.